1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
|
package fastd
config fastd sample_config
# Set to 1 to enable this instance:
option enabled 0
# Sets a static config file, optional
# Options set via UCI have higher priority that statically configured ones
# list config '/etc/fastd/sample_config/fastd.conf'
# Configures a single static peer from a configuration file
# list config_peer '/etc/fastd/sample_config/sample_peer.conf'
# Sets an additional directory from which peers configurations are read
# The peer list can be reloaded without restarting fastd
# Peer can either be configured via UCI (see examples below) or via peer dirs
# Can't be used in tun mode
# list config_peer_dir '/etc/fastd/sample_config/peers'
# Sets the log level
# Possible values: error, warn, info, verbose, debug
# Default: info
option syslog_level 'info'
# IP address and port of the local end, optional
# 'any' can be used to bind to both IPv4 and IPv6
# If no port is given fastd will bind to a random port
# list bind 'any:1337'
# list bind '0.0.0.0:1337'
# list bind '[::]:1337'
# "method null" uses no encryption or MAC
# "method salsa2012+umac" uses the Salsa20/12 encryption and the UMAC message authentication code
# See the fastd documentation for the other supported encryption methods
list method 'salsa2012+umac'
# "mode tap" will create an ethernet tunnel (tap device),
# "mode tun" will create an IP tunnel (tun device).
option mode 'tap'
# Set the name of the tunnel interface to use
option interface 'tap0'
# option interface 'tun0'
# option interface 'fastd0'
# Sets the MTU of the tunnel interface, default is 1500
# 1426 is a good value that avoids fragmentation for the xsalsa20-poly1305 method
# when the tunnel uses an IPv4 connection on a line with an MTU of 1492 or higher
option mtu 1426
# Enables direct forwaring of packets between peers
# WARNING: Only enable this if you know what you are doing, as this can lead to forwarding loops!
option forward 0
# Disable for compatiblity with fastd v10 and older
option secure_handshakes 1
# Set a packet mark to filter for with iptables or ip rules
# option packet_mark 42
# Socket to get fastd's status
# option status_socket '/var/run/fastd-example.sock'
# Limits the maximum number of connections (optional)
# May also be used in peer groups
# option peer_limit 5
# The secret key
# A keypair can be generated with `fastd --generate-key`
# When the corresponding public key is lost it can be recovered with `/etc/init.d/fastd show-key <config name>`
# option secret '0000000000000000000000000000000000000000000000000000000000000000'
# Sets the user to run fastd as. Defaults to root
# option user 'daemon'
# Sets the group to run fastd as. Defaults to the user's primary group
# option group 'daemon'
# If set to 1, the logs won't contain peers' IP addresses
# option hide_ip_addresses '0'
# If set to 1, the logs won't contain peers' MAC addresses
# option hide_mac_addresses '0'
# If set to 0, peer-specific interfaces will only exist as long as there is an active connection
# option persist_interface '1'
# If fastd was compiled with libcap support, defines how capabilities are handled
# Possible values: 1, 0, early, force (see fastd documentation for a description of the values)
# option drop_capabilities '1'
# Command to configure IP addresses etc. after the tunnel interface is up; $1 will be the interface name (optional)
# option up ''
# Command to execute before the tunnel interface is set down; $1 will be the interface name (optional)
# option down ''
# Commands executed by fastd ($INTERFACE can be used for the interface name; optional)
# All except on_pre_up and on_post_down may also be used in peer groups
# option on_pre_up ''
# option on_up ''
# option on_down ''
# option on_post_down ''
# option on_connect ''
# option on_establish ''
# option on_disestablish ''
# option on_verify ''
config peer sample_peer
# Set to 1 to enable this peer
# In tap mode peers can be reloaded dynamically
option enabled 0
# Controls which instance this peer is associated with
option net 'sample_config'
# Controls which peer group this peer belongs to, optional
# For most use cases peer groups aren't necessary
# option group 'sample_group'
# The peer's public key
option key '0000000000000000000000000000000000000000000000000000000000000000'
# A remote specification consists of an address or a hostname, and a port
# When a hostname is given, it is recommended to specify the address family to use
# It is possible to specify no, one or multiple remotes
# (but all entries must designate the same host as the public key must be unique)
# list remote '192.0.2.1:1337'
# list remote '[2001:db8::1]:1337'
# list remote '"example.com" port 1337'
# list remote 'ipv4 "example.com" port 1337'
# list remote 'ipv6 "example.com" port 1337'
# Setting float to 1 allow incoming connections with this key from other addresses/hostnames/ports than the specified remotes
# option float 0
config peer_group sample_group
# Set to 1 to enable this peer group
option enabled 0
# Controls which instance this peer group is associated with
# Peer groups can't be used in tun mode
option net 'sample_config'
# Allows configuring nested groups
# option parent 'other_group'
# Includes another config file inside the peer group definition
# list config '/etc/fastd/sample_config/sample_group.conf'
# Configures a single static peer from a configuration file
# list config_peer '/etc/fastd/sample_config/sample_peer.conf'
# Configures an additional peer directory for this group
# list config_peer_dir '/etc/fastd/sample_config/peers2'
# Methods set in the peer group override the ones configured in the parent group or globally
# list method 'null'
|
